My name is Charles, I went to the Midwest Management Summit back in May 2019. It was my second time attending the conference. You might remember me as “that guy who has no remote users” 🙂
I said I would blog about a tip I talked about shortly after the conference… This blog post is about 7 months late, I’m sorry!
So for those that do not know this conference, there is a session where anyone can go up on stage and present an IT-related tip or trick.
I went on the stage to talk very briefly about a rather important detail that you need to know when you deal with a disconnected/offline WSUS server: You need to track your update approvals on your internet-connected WSUS server.
On your disconnected WSUS server, you must not approve an update that was not approved on your internet-connected WSUS server or you will have issues.
Microsoft’s official documentation regarding setting up a disconnected WSUS instance can be summarized with the following 3 steps:
- Matching advanced configuration:
- Express updates: If you want to use express updates, make sure that both the internet-connected WSUS and the disconnected WSUS instances have the same setting configured
- Languages: Make sure that you select the same languages for update files
- WsusContent: This one is simple, just copy the “WsusContent” folder on the internet-connected WSUS to the disconnected one.
- Metadata: Export & Import the WSUS metadata with wsusutil.exe import/export
OK, so you made sure that you have the same advanced configuration, you copied the “WsusContent” folder and you imported the metadata from your internet-connected WSUS server… now what?
Well, now you have a bunch of unapproved updates in your WSUS Console on your disconnected WSUS Server. You don’t know which ones were approved or declined on the internet-connected WSUS.
The next part is from my personal experience… If you approve a bunch of updates and some are missing the associated content, WSUS gets stuck. In your WSUS console, it will show that you have thousands of updates “needing files”. What’s happening here is that you approved updates for which your disconnected WSUS does not have the content. In a normal scenario, WSUS would simply download the content from Microsoft. In our case, the WSUS server simply gets stuck there because some updates are missing files. And for some &*%!$% reason, WSUS will not skip over and verify the other updates once it gets stuck with a couple of updates missing content.
Make sure that the same approvals are mirrored on your disconnected WSUS instance.
And when I say update approvals, I mean which updates were declined and which updates were approved.
“OK, I will create the same automatic approval rules on my disconnected WSUS. Done.”
Sure, that might work if you don’t do any kind of cleanup on your WSUS instance. There are various solutions online of scripts that people use to decline/delete updates they don’t need (Itanium, Ia64, superseded updates, etc.)
The automatic approval rules criteria in WSUS are very basic and you will end up approving updates on your disconnected WSUS that are declined on your internet-connected. Ask me how I know…
I personally use Bryan Dam’s software update maintenance script, see his blog posts here and here. This script was originally written to maintain SCCM software update point WSUS instances but later he added the WSUS Standalone mode which I’m using for my WSUS Servers.
I won’t go into details here about which updates I’m declining and whatnot. Just know that if you use a WSUS Server, you should probably have some sort of maintenance script running regularly or you will have a bad time…
“How am I supposed to keep track of all the updates that I declined/approved?”
With PowerShell we can get the information we want and it’s possible to script this so that we can export and import the update approvals.
When you’re ready to do an export of your internet-connected WSUS, you will have to export the metadata, copy the “WsusContent” folder and also get the list of which updates were approved. Make sure you copy all three at the same time to make sure that you have the matching metadata, content and update approvals.
So where I work, the team responsible for copying content over to the disconnected WSUS server is different than the team maintaining WSUS. A procedure was written about how to perform the export and import process but it never worked really well and WSUS crapped itself… many times.
I decided that I had enough with this and tried to automate the process as much as I could.
I wrote a script that I called “Invoke-WSUSImportExportManager”
At first, I simply wanted to automate the following:
- Copy “WsusContent” to $folder
- Copy the WSUS Metadata to $folder
- Record WSUS information in a XML file and copy to $folder
- WSUS Configuration
- WSUS Computer groups hierarchy
- WSUS Update approvals
- Copy “WsusContent”
- Import the WSUS Metadata
- Update WSUS Configuration
- Match the configuration
- Re-create the same computer groups hierarchy
- Approve the same updates to the same computer groups
And then it became bigger and bigger…
On top of doing the import and export process, it also does the following tasks:
- Reindex the WSUS Database
- Adds or Removes the custom indexes (Taken from Bryan Dam’s script)
- Sets a couple of common IIS settings for the WsusPool that should be changed from its default values
- Show locally published updates (third-party updates) in the WSUS console
All these “Actions” that the script performs are customizable.
The script is available on GitHub here. I tried to explain how the script works in the readme but feel free to ask me any questions if you need more information.
Note: My PowerShell skills are not super awesome so I’m sorry for the state of the scripts. If you have some feedback/suggestions regarding that, please let me know and I’ll try my best to improve the scripts.